Debating the merits of vulnerability scans and penetration tests

Companies are struggling to keep up with a barrage of network security nightmares, including viruses, worms and hacker attacks. This makes it more difficult to protect core assets, such as sensitive personnel information, customers' credit card numbers and intellectual property. There are frequent reports of supposedly secure networks failing, resulting in lost revenue and damaged reputations.

To combat these increasing threats, network administrators must choose from a host of products, services and practices. Two common solutions are penetration testing and vulnerability scanning. These solutions are often lumped together, but there are significant differences between them. Vulnerability scans identify potential problems based on an evaluation of a network's defenses and known vulnerabilities. Penetration testing reveals more information about a network by actively attacking a system, probing all defenses and revealing real, not theoretical, vulnerabilities.

Both methods have an important role in testing network security. At Core Security Technologies, we recognize the importance of vulnerability scanning, use it in our consulting practice and partner with several companies that provide this technology. But while vulnerability scanning is a good first step, it shouldn't be considered the final step, because it doesn't answer the fundamental question, "Is my network secure?"

Vulnerability scanning does not address the implications of an intrusion, leaving network administrators to determine if a vulnerability is real or a false positive, if it can be exploited and what risk it poses to a network. Without determining the true threat to a network, administrators must devote resources to patching every vulnerability, often wasting significant time and effort patching systems that may not require it.

A penetration test is an authorized attempt to breach the security defenses of a system using the techniques of hackers, worms and viruses. With a penetration test, you exploit vulnerabilities in your network and try to replicate the kinds of access a hacker could achieve and identify which resources are exposed. The results go far beyond the data yielded by a vulnerability assessment. An administrator is able not only to quickly identify and prioritize real vulnerabilities but also to gain insight into the effectiveness of other security measures in place.

Some proponents of vulnerability scans say running a penetration test puts a network service at risk for downtime and using exploits could compromise the network's integrity. However, with a commercial-grade automated product, penetration testing can be conducted in a safe manner and poses less risk than most vulnerability scanners.

Vulnerability scanning is an excellent first step for a penetration test, but it's important to go further. Without running a penetration test, network administrators cannot be certain that their networks can withstand an attack. A penetration test can identify and eliminate real paths of attack.

Paget is CEO of Core Security Technologies. He can be reached at paul.paget@coresecurity.com.

Latest Videos

Hear from Invictus Games Sydney 2019 CEO, Patrick Kidd OBE and Head of Technology, @James-d-smith -share their insights on how they partnered with Unisys to protect critical data over an open, public WiFi solution.

With so much change all the time, how can executives best prepare their businesses to meet the security challenges of the coming years? CSO Australia, in conjunction with Mimecast, explored this question in an interactive Webinar that looks at how the threat landscape has evolved – and what we can expect in 2019 and beyond.

According to new research conducted by the Ponemon Institute, Australia and New Zealand have the highest levels of data breaches out of the nine countries investigated. This was linked to heavy investment in security detection and an under-investment in security and vulnerability response capabilities

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.